A trio of MIT students found security weaknesses in the MBTA,
the Boston public transportation system, colloquially known as "the T". The students
were going to present their findings at Defcon, that is, until
a judge ordered them not to.

Of course, the injunction did far more to spread the news than the talk alone
would have, including making public the students' whitepaper about the vulnerabilities.
Their slides, Anatomy of a Subway Hack,
are also online, including a photo of an over-the-top modded shopping cart that
they somehow used as part of their work.

How many times do we have to see this story played out? A system is deployed
with poor security, someone figures out the weaknesses, tries to talk about it,
and is sued to prevent disclosure, only making the information even more available
to the public. These injunctions are like putting a flashing red light on top of
something: they only attract more attention to the situation. The presentation
slides have already been distributed to all Defcon attendees; that toothpaste is
not going back in the tube.

The MBTA should either decide that this is not that big a deal (how many people
are really going to hack RFID cards to get on the T for free?), or get to work
designing improvements. And they should hire these students to crack the new
system before it's deployed.

Comments

On the channel 7 news tonight, the reporter tells us that the MBTA says there are "no flaws in their security". Yeah, right. OTOH I suppose that it is technically true that there are no flaws in their security, since the whitepaper clearly shows that they don't actually have any security.

The swipe card reader has to read and then write a magnetic record in only one swipe, with an encoding that has to tolerate occasional errors. I don't think that it is possible to make a much more secure solution that would allow almost free cards. A more secure solution would have to store more information, more densely packed on the magnetic strip, and thus more likely to be damaged in my pocket next to my keys.

It seems that the RFID uses one of the strongest encryptions possible for the low power CPU. The card has neither the batteries nor the heat sink that you are used to in your laptop.

If the city managed to make the perfect solution (which will be breakable in a few years of CPU improvement at Moore's law rate) then they would saddle the taxpayers or riders with hundreds of thousands of dollars of cost. As opposed to losing a few hundred dollars at the hands of a capable hacker who will do it for fun.

The court decision is correct in this case, from the common sense perspective.

@Zoran: you say the court decision is correct from a common sense perspective, but I think you are wrong. What was the MBTA's goal? To keep the information from becoming well known. Did the court's decision achieve that goal? Hardly. If anything, it made matters worse.

If the MBTA believes that its security is the best that could be achieved, then they should accept the consequences of their design. Trying to muzzle discussion of their (public) system is pointless and will only hurt their efforts.

BTW, Here's a radical proposal: make the T free. Then we wouldn't need any of this infrastructure, and wouldn't have to worry about its security. We wouldn't have to spend tax dollars to build this bogus system, we could spend them on providing public transportation. Roads are nearly 100% subsidized infrastructure for cars, why not provide subsidies for alternatives to cars? It would also speed service, since people could board trolleys faster without stopping to pay, and could use all the doors on the trolley instead of just the front door to get on.

Ned, I do agree that the MBTA would be better off just letting it slide. The court, however, made the correct decision. MBTA lawyers might know of a reason I don't know about (e.g. making it hard to go after fare evasion if you knew of an infringement previously and didn't stop it).

I used the T only a couple of times. From what I observed, I could not agree more: making it free would save money. However, a free subway in New York City would probably attract a lot of homeless people, or poor people who would otherwise walk a couple of blocks to work. People also tend to take less care of things that they perceive are free. Plus tourists get to ride for free making congestion at rush hour while not paying taxes.

This "radical proposal" of free worked for online newspapers, and did not work in socialism (health care, education, roads - all free but crummy). It would be great if Boston did the first experiment.

MantisBot 10:38 AM on 25 May 2009

For an example of a quite successful (and relatively cheap) RFID subway card system, check out Korea's T-Money system (wiki it!). I've had the same card for 2 years now and still no problems. Well, other than that I just disassembled it today... FOR GREAT PROGRESS!